Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Companies should already be storing password hashes, so the risk of leaking a hash vs a public key is roughly the same. It’s just that private keys are generally longer than passwords and therefore harder to bruitforce.
Any company storing passwords in a recoverable format deserves to be hacked.